feat!: upgrade from node12 to node20

.eslintrc.json

@@ -9,6 +9,7 @@
     },
     "rules": {
       "eslint-comments/no-use": "off",
+      "i18n-text/no-en": "off",
       "import/no-namespace": "off",
       "no-unused-vars": "off",
       "@typescript-eslint/no-unused-vars": "error",

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
     - run: rm -rf ./dist
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/test.yml

@@ -5,17 +5,87 @@ on: # rebuild any PRs and main branch changes
     branches:
       - main
       - 'releases/*'
+    paths:
+      - '!**/*.md'
 
 jobs:
   build: # make sure build/ci work properly
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - name: Adding required env vars
+        # https://github.com/orgs/community/discussions/42856#discussioncomment-7678867
+        uses: actions/github-script@v7
+        env:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          script: |
+            core.exportVariable('ACTIONS_RESULTS_URL', process.env['ACTIONS_RESULTS_URL'])
+            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env['ACTIONS_RUNTIME_TOKEN'])
+            core.exportVariable('ACTIONS_RUNTIME_URL', process.env['ACTIONS_RUNTIME_URL'])
       - run: |
-          npm install
-      - run: |
-          npm run all
+          mv __tests__/report_json.json ./report_json.json
+          npm install && npm run all
+
   test: # make sure the action works on a clean machine without building
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    env:
+      DYNAMIC_ACTION: ./.dynamic-action
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+
+      - name: Move test report to root
+        run: mv __tests__/report_json.json ./report_json.json
+
+      - name: Define branch to test
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+          REPO: ${{ github.repository }}
+        run: 
+          echo "action=$REPO/$BRANCH" >> $GITHUB_ENV
+
+      - name: Prepare composite action
+        # https://github.com/orgs/community/discussions/63675#discussioncomment-6820562
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const path = require('path');
+            const fs = require('fs/promises');
+            const dyn = '${{ env.DYNAMIC_ACTION }}';
+            const action = {
+              runs: {
+                using: 'composite',
+                steps: [
+                  {
+                    // clean up dynamically created action
+                    name: 'Cleanup',
+                    uses: `actions/github-script@${{ github.action_ref }}`,
+                    with: {
+                      script: `await io.rmRF('${dyn}')`
+                    }
+                  },
+                  {
+                    name: `Create sarif file from zaproxy results`,
+                    uses: `${{ github.repository }}@${{ github.head_ref || github.ref_name }}`
+                  }
+                ]
+              }
+            };
+            const content = JSON.stringify(action);
+            core.debug(`Writing action:\n${content}\n`);
+            await io.mkdirP(dyn);
+            await fs.writeFile(path.join(dyn, 'action.yml'), content);
+
+      - name: Run tests dynamically injecting branch name
+        uses: ./.dynamic-action
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif

README.md

@@ -4,6 +4,17 @@ Use this GitHub Action together with [GitHub Advanced Security](https://github.c
 
 This Action leverages the official [zaproxy/action-baseline](https://github.com/zaproxy/action-baseline) Action which supports various options like [custom rule sets](https://github.com/zaproxy/action-baseline#rules_file_name) and [target url](https://github.com/zaproxy/action-baseline#target). 
 
+## Table of contents
+- [Background](#background)
+- [What is looks like](#what-is-looks-like)
+- [Getting started](#getting-started)
+  - [Required permissions](#required-permissions)
+  - [Use with (public-facing) URLs](#use-with-public-facing-urls)
+  - [Use with containers](#use-with-containers)
+  - [Use with Pull Requests](#use-with-pull-requests)
+- [Development](#development)
+- [Publish to a distribution branch](#publish-to-a-distribution-branch)
+
 ## Background
 GitHub Advanced Security utilizes the [SARIF (Static Analysis Results Interchange) format](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) to present code scanning results of a wide range of [static code analysis tools](https://github.blog/2021-07-28-new-code-scanning-integrations-open-source-security-tools/). As DAST scans are not static they can't be directly mapped to individual lines in the original source file but only to a specific URL or endpoint of the application. 
 
@@ -22,6 +33,16 @@ All results that fall under the same rule are captured within a single overview:
 > 💡 Previews are not available as DAST scans can't map a scan result to a specific file in the repository.
 
 ## Getting started
+
+### Required permissions
+To use this Action you need to have the following permissions:
+
+```yml
+permissions:
+  security_events: write
+  contents: read
+```
+
 ### Use with (public-facing) URLs
 The easiest way to get started is by running this scan against a URL that is publicly available. Or, in case you use self-hosted Action runners, that is available within the network of your runner.
 
@@ -138,15 +159,8 @@ Build the typescript and package it for distribution
 $ npm run build && npm run package
 ```
 
-Run the tests :heavy_check_mark:  
-```bash
-$ npm test
-
- PASS  ./index.test.js
-  ✓ test runs (95ms)
+Push the changes to your feature branch and wait for the tests to pass :heavy_check_mark:  
 
-...
-```
 
 ## Publish to a distribution branch
 

__tests__/report_json.json

@@ -0,0 +1,69 @@
+{
+	"@programName": "ZAP",
+	"@version": "2.15.0",
+	"@generated": "Fri, 24 May 2024 10:10:23",
+	"site":[ 
+		{
+			"@name": "https://example.com",
+			"@host": "example.com",
+			"@port": "443",
+			"@ssl": "true",
+			"alerts": [ 
+				{
+					"pluginid": "100000",
+					"alertRef": "100000",
+					"alert": "A Server Error response code was returned by the server",
+					"name": "A Server Error response code was returned by the server",
+					"riskcode": "1",
+					"confidence": "3",
+					"riskdesc": "Low (High)",
+					"desc": "<p>A response code of 503 was returned by the server.</p><p>This may indicate that the application is failing to handle unexpected input correctly.</p><p>Raised by the 'Alert on HTTP Response Code Error' script</p>",
+					"instances":[ 
+						{
+							"uri": "https://example.com/pets/35",
+							"method": "DELETE",
+							"param": "",
+							"attack": "",
+							"evidence": "HTTP/1.1 503",
+							"otherinfo": ""
+						}
+					],
+					"count": "1",
+					"solution": "",
+					"otherinfo": "",
+					"reference": "",
+					"cweid": "388",
+					"wascid": "20",
+					"sourceid": "31"
+				},
+				{
+					"pluginid": "100001",
+					"alertRef": "100001",
+					"alert": "Unexpected Content-Type was returned",
+					"name": "Unexpected Content-Type was returned",
+					"riskcode": "1",
+					"confidence": "3",
+					"riskdesc": "Low (High)",
+					"desc": "<p>A Content-Type of */* was returned by the server.</p><p>This is not one of the types expected to be returned by an API.</p><p>Raised by the 'Alert on Unexpected Content Types' script</p>",
+					"instances":[ 
+						{
+							"uri": "https://example.com/pets/28",
+							"method": "DELETE",
+							"param": "",
+							"attack": "",
+							"evidence": "*/*",
+							"otherinfo": ""
+						}
+					],
+					"count": "1",
+					"solution": "",
+					"otherinfo": "",
+					"reference": "",
+					"cweid": "-1",
+					"wascid": "-1",
+					"sourceid": "31"
+				}
+			]
+		}
+	]
+}

action.yml

@@ -4,5 +4,5 @@ branding:
   icon: 'lock'
   color: 'gray-dark'
 runs:
-  using: 'node12'
+  using: 'node20'
   main: 'dist/index.js'